Android app uproar sparks debate over open app store model

An Android Marketplace application has been accused of attacking files. Ars …

An Android Market application has become the center of a fire storm of controversy after users accused it of wiping data from memory cards and spamming contacts. MemoryUp Personal, distributed by eMobieStudio, is meant to optimize system memory by taking control of the Java Virtual Machine to reclaim unused memory. Whether it actually achieves that goal has been a matter of discussion on the Android Community forum for a few weeks; forum members have not been convinced of its actual efficacy. This past weekend, however, reports started appearing that MemoryUp was erasing files. According to a post at geek.com, users complained that their SD cards "were wiped totally clean." Other accusations grew, suggesting that MemoryUp was sending spam using onboard contact information, removing calendar items, corrupting memory and placing adware onto the G1.

So is MemoryUp a harmful application? Did it actually do the things that it was accused of? Ars doubts the claims. A Google spokesperson told Ars that it has investigated MemoryUp and determined that it is not malware, stating, "In the versions we tested, MemoryUp cannot perform any of the malicious things it is reported to have done."

As ReadWriteWeb points out, the MemoryUp application required no special installation privileges. If these privileges were not granted during installation, it remains unlikely that the software would be able to work its way around Android's security sandboxing to do the things it has been accused of doing. Google told Ars that Android was designed "to minimize the impact of poorly programmed or malicious applications on the device." The Android sandbox limits an application's interaction with user data, system resources, and with other applications on the device.

To be fair, I've been told by Android developer Disconnect of andblogs.net that deleting files from SD cards would not require special permissions, but Google insiders, speaking off the record, reinforce that MemoryUp simply did not do so.

What is clear, though, is that MemoryUp Personal has not been a popular release. Its reviews in the Marketplace have been almost universally negative, with many questioning its effectiveness and ability to produce the results that it lays claim to. The product was widely disliked, and it engendered a lot of negative feeling both in the Marketplace and in community forums.

Peter Liu, the MemoryUp developer, told Register Hardware that the allegations were not disruptive and that the rumors were unfounded. Robert Lee, of MemoryUp, when contacted by Ars, stated that MemoryUp is a simple application that does not use permissions to access user data, SD Cards or connect to the Internet.

Open versus closed

The biggest fallout so far for the MemoryUp situation has been the discussion of whether the Android Marketplace should adopt a review model similar to Apple's App Store. In App Store, products must conform to strict security, usability, and appropriateness guidelines before they're allowed to be sold. The Marketplace, in contrast, has provided an open forum for all comers.

With lingering questions about MemoryUp, which has now been pulled from the Marketplace, some voices are asking whether Android Marketplace should adopt some sort of screening criteria before allowing applications to reach distribution channels. Should Google adopt the Apple model?

Google set up MarketPlace to provide the most accessible distribution network possible. Google's philosophy is this: "[W]e feel that developers should have an open and unobstructed environment to make their content available." The open market philosophy is based on the idea of self correction, that users will promote the best items and police the bad ones without adding the kind of oversight layer required by Apple. The Google spokesperson told us that when "an application is deemed harmful or inappropriate, users can flag it, give it a low rating, leave a detailed comment, and of course, remove it from their device. Once flagged by users, applications are reviewed and harmful or inappropriate applications are removed from the Market. Abusive developers can also be blocked from using the Android Market for repeated or egregious violations of our policies."

It's a philosophy that is both appealing and fraught with possible problems. As BoingBoing predicted back in August, "[O]ne wonders if Google is setting themselves up for a logistical nightmare here: if developers can put through malicious code with no fail check, Google might spend more time pulling down apps than it would actually take to approve them individually and put them up." Please note that Apple's review process has been inconsistent in its application. Individual review and approval does not guarantee that malicious software would (or could) be caught before it hit the App Store shelves.

It seems unlikely that MemoryUp Personal caused the problems it has been accused of, yet the entire situation has thrown a spotlight onto the way Android Market works. To date, we've seen a rapid community response that validates the ability of the Marektplace to self correct. Unfortunately, that response seems to have been to an imaginary threat.